Cisco IOS and Native VLANs
- An 802.1Q trunk port can carry tagged and untagged frames because Ethernet is assumed to be a shared medium and there may hosts on the medium that cannot handle untagged frames.
- Untagged frames must placed into a VLAN by the receiving switch, the native VLAN is the VLAN used.
- When a switch receives an untagged frame on a tagged interface it is assumed membership of the Native VLAN.
- For 802.1.Q tagged interfaces, Cisco uses untagged frames to carry admin various protocols between the switches e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLANs.
- Configurable Native VLAN IDs are a response to the security vulnerability published by SANS in July 2000 that noted a possible VLAN hopping attack using the Native VLAN. Because VLAN1 on Cisco switches has special significance
- It is not mandatory for vendors to implement Native VLANs so vendor interoperability for protocols using the feature will be a specific configuration issue.
- For Cisco switches the Native VLAN ID must match on both end of the trunk.
- By default the Native VLAN is 1.
- My “Security Best Practice” is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number “666” helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage.
This message appears when the native VLAN is mismatched on the two Cisco switches:
[sourcecode wraplines=”false” gutter=”false” autolinks=”false”]
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEhernet1/1 (2),
with D-R3550-9B GigabitEthernet0/1 (1)
Corrections and updates welcome 🙂